Hacking techniques
A close examination of the Hex pane of the Sniffer Pro analyzer in Figure 2 reveals ASCII data in clear
view on the right side of the pane. While attached to a switch in the closet, Tommy ran the configuration
over a telnet session. Since the telnet protocol is insecure and sends everything in cleartext, it is easy
to see the password: "cisco."
Figure 2. ASCII decode of plaintext data
This is one of the most basic principles of security: Never use a product name as a password. But in spite
of how basic a principle it is, it's remarkable how often it is still done.
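As an added example (not code from the article), the following Python reproduces what the analyzer's decode makes visible: it strips telnet option negotiation from captured TCP segments and returns the keystrokes a client typed after a server "Password:" prompt, the kind of check a defender can run over captures to find cleartext logins to network gear. The session bytes are constructed; the direction labels, the Cisco-style banner and the `cleartext_password` helper are assumptions.

```python
# Added example (not from the article): reassemble a captured telnet login and flag
# the password typed in cleartext after the "Password:" prompt. Bytes are constructed.
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop IAC option negotiation so only the application text remains."""
    out, i = bytearray(), 0
    while i < len(payload):
        if payload[i] != IAC:
            out.append(payload[i]); i += 1
        elif i + 1 >= len(payload):
            break                                  # truncated IAC at segment end
        elif payload[i + 1] == IAC:                # IAC IAC is a literal 0xFF byte
            out.append(IAC); i += 2
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                 # IAC <cmd> <option>
        elif payload[i + 1] == SB:                 # subnegotiation runs to IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:
            i += 2                                 # two-byte command (NOP, GA, ...)
    return bytes(out)

def cleartext_password(session):
    """session: (direction, payload) segments, direction 'srv' or 'cli'; returns
    the client keystrokes that followed a server 'Password:' prompt, else None."""
    waiting, typed = False, bytearray()
    for direction, payload in session:
        data = strip_telnet_negotiation(payload)
        if direction == "srv":
            if re.search(rb"[Pp]assword:\s*$", data):
                waiting, typed = True, bytearray()
        elif waiting:
            for b in data:
                if b in (0x0D, 0x0A):              # Enter terminates the credential
                    return typed.decode("ascii", "replace")
                if b != 0x00:                      # telnet sends a bare CR as CR NUL
                    typed.append(b)
    return None

# Constructed capture of a switch login; the client sends one keystroke per segment
SESSION = [
    ("srv", b"\xff\xfb\x01\xff\xfb\x03"),          # IAC WILL ECHO, IAC WILL SGA
    ("cli", b"\xff\xfd\x01\xff\xfd\x03"),          # IAC DO ECHO, IAC DO SGA
    ("srv", b"\r\nUser Access Verification\r\n\r\nPassword: "),
    ("cli", b"c"), ("cli", b"i"), ("cli", b"s"), ("cli", b"c"), ("cli", b"o"),
    ("cli", b"\r\x00"),                            # Enter
    ("srv", b"\r\nSwitch>"),
]
```

Running `cleartext_password(SESSION)` returns "cisco", the same string the hex pane shows; the same walk over a real capture tells you which devices still accept management logins over telnet.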
Next, turn your attention to some external threats.
External attacks
External attackers are those who must traverse your "defense in depth" to try to break into your systems.
They don't have it as easy as internal attackers. The first scenario involves a fairly common form of
external attack known as Web site defacing. This attack uses password cracking to penetrate the systems
that the attacker wants to deface. Another possible password cracking attack is when an attacker obtains
passwords through social engineering: tricking an unsuspecting administrator into handing account IDs and
passwords over to an attacker. Let's take a look at both.
Example: Web site home page defacing
Figure 3 demonstrates a fairly common and simple example of external password cracking: defacing a
Web site's home page. It takes little effort and is usually accomplished by simply exploiting an Internet
Information Server (IIS) that has its permissions set incorrectly. The attacker goes to a workstation
and tries to attack the IIS server with an HTML editing tool. When trying to attach to the site over the
Internet, the attacker uses a password generator tool, such as L0phtCrack, which launches a brute force
attack against the server.
Figure 3. Home page replaced by an attacker
Your company's reputation is on the line. Business vendors and associates will lose faith in you if they
perceive that your data is kept on unsecured servers. Make sure you look at inside and outside threats
equally.
Example: Social engineering tricks
Tricks that crack passwords without any tool at all are called social engineering attacks. Read the
following scenario to learn more.
Jon is the new security analyst for a large company. His first job is to test his company's security stance.
He of course lets management know what he is about to do (so he doesn't get labeled as an attacker
himself). He wants to see how hard it is to crack into the network without even touching a single tool. He
tries two separate but equally devastating attacks.
As a new employee in a large organization, Jon isn't known to many people yet, which makes it easy for
him to pull off his first social engineering attack. His first target is the help desk. Jon makes a routine call
to the help desk and asks for a password reset as a supposed remote user. Jon already has half the
information he needs since he knows that the company's naming convention is simply first name and the
first initial of the user's last name. The CIO's name is Jeff and his last name is Ronald, so JeffR is his
login ID. This information is readily available from the company's phone directory. Masquerading as the
CIO, Jon calls the help desk and asks for a password reset because he has forgotten his password. This is a
normal ritual for the help desk technician, who resets forgotten passwords 100 times a day and calls the
requestor back to let them know what their new password is. The help desk technician calls Jon back
five minutes later and lets him know that his new password is "friday" because it happens to be Friday.
Within another five minutes, Jon is in the CIO's shared files on the server and in his e-mail.
Jon's next social engineering attack involves a good friend of his who works for the local telephone
company. Jon borrows some of his gear and his belt and badge on his friend's day off. Jon takes his new
gear and heads to another part of the organization's campus where all the disaster recovery routers and
servers are located. This hardware contains a working copy of all the company's current data and is
considered confidential. Jon walks into the campus security office in his Telco costume and explains that
he has been called out by the Local Exchange Carrier (LEC) because a circuit appears to be looped from
the Telco. He needs to be let into the data center so he can check whether there are any alarms on the
Smart Jack.
The onsite administrator escorts Jon to the data center without even checking his ID. Once inside, the
administrator wisely sticks around, so Jon starts his test. After a few minutes, Jon informs the
administrator that he will have to call his office and have them run some more tests so he can loop off the
Smart Jack and try to troubleshoot. Jon lets the administrator know that this will take about 45 minutes, so
the administrator gives Jon his pager number and asks that he page him when he is done to let him out. Jon
has now successfully eliminated the only obstacle between him and the 30 servers all lined up in racks
along the back wall of the data center.
Jon has a few different opportunities now. He can go to every server and start looking for unlocked
consoles, or he can plug his laptop into an open port and start sniffing. Since he really wants to see how far
he can go, he decides to look for open consoles. After five minutes of looking through all the KVM slots,
he finds a Windows NT server running as the Backup Domain Controller for the domain. Jon pulls a CD
out of his bag and inserts it into the CD tray of the server. He installs L0phtCrack onto a BDC for the
company's domain and runs a dictionary attack. Within five minutes it produces the following password:
Yankees. It turns out the lead administrator is a New York Yankees fan. He now has access to the
company's most vital information.
Now look at how this was done.
Figure 4. Using L0phtCrack to break the Administrator password
A protection check list
Here is a checklist of things you can do to make password cracking more difficult:
● Audit your organization! Do a walk-through and make sure passwords are not stuck to monitors or
under keyboards.
● Set up dummy accounts. Get rid of the administrator (or admin) account or set it up as a trap and
audit it for attempts.
● Use strong, difficult to guess passwords, and never leave a console unlocked.
● Backups are necessary in case you are compromised. You need a working set of data, so make sure
you have it. Keep the tapes secure too, or the data there will be compromised as well.
● Prevent dumpster diving. Don't throw sensitive information away; shred it or lock it up.
● Check IDs and question people you don't know. When you have visitors, check them out and make
sure they belong.
● Educate your end users. Make sure they aren't prone to social engineering and educate and remind
internal users of the company's security policies.
Summary
In this article I've described some of the psychology behind an attacker's motivation and some of the
low-tech and high-tech methods used to crack passwords. You've looked at several attack scenarios,
including attacks against major companies by a veteran administrator, a help desk technician, and an
outside vandal. You also saw how password crackers use techniques both internally and externally to your
infrastructure. Finally, some ideas on how to properly secure yourself and your systems from the
possibility of a password cracking attack were offered. Combating these attacks ultimately requires a
conscious effort, trained individuals, useful tools, and sound security policies. Hopefully, as a proactive
security analyst, you can make a difference in helping to slow down this malicious activity within your
organization as well as outside of it. Otherwise, you may find Jon in your server room with a smirk on
his face and your data in his hands.
Resources
● Read the developerWorks article Protecting Passwords: authenticating users; it is a great read for
getting your mind around how to protect your passwords in the first place.
● See also the developerWorks article Setting up a security policy, also a must-read.
● The CERT Coordination Center is a center of Internet security expertise at the Software Engineering
Institute, a federally funded research and development center operated by Carnegie Mellon
University. They study Internet security vulnerabilities, handle computer security incidents, and
publish security alerts.
● Check out the following article available from the CERT organization on Protecting Yourself from
Password File Attacks.
● Password Cracking Activity discovered by the CERT organization can be researched at
http://www.cert.org/incident_notes/IN-98.03.html.
● Password cracking tools are available worldwide over the Internet. Check out
http://www.pwcrack.com for security and cracking resources available on the Internet.
● Sans.org is the leading source of Internet and Network security administration worldwide. You can
research many topics in their extensive library of information.
● General Security information can be found and researched on the Security Focus Web site.
● See also IBM Security Solutions site.
About the author
Robert J. Shimonski (Truesecure TICSA, Cisco CCDP, CCNP, Nortel NNCSS, Microsoft MCSE, MCP+I,
Novell Master CNE, CIP, CIBS, IWA CWP, Prosoft CIW, SANS GSEC, GCIH, CompTIA Server+,
Network+, Inet+, A+, e-Biz+, Symantec SPS and NAI Sniffer SCP) is a Lead Network and Security
Engineer for a leading manufacturer company. Robert's specialties include network infrastructure design
with the Cisco and Nortel product line, network security design and management with CiscoSecure and
PIX firewalls, network management and troubleshooting with CiscoWorks, CiscoSecure, Sniffer-based
technologies, and HPOV. Robert is the author of many security-related articles and published books,
including the upcoming Sniffer Network Optimization and Troubleshooting Handbook from Syngress
Media, Inc. You can contact Robert at rshimonski@rsnetworks.net.